Developers have quite a bit of access to users' address book data.


iOS users' address books can easily be copied by apps that call on that data, and companies that make these apps can use them for purposes you might not expect. The recent controversy over the popular social networking app Path has prompted questions about developer best practices and privacy concerns for users of these apps. Can users (particularly those using iOS devices) ever let their guard down when installing social apps? It seems the answer might be "no."

Soon after Thampi posted his findings, Path's CEO Dave Morin apologized by commenting on Thampi's blog. Afterward, on Path's company blog, Morin announced all users' address book data would be wiped clean from their servers. Path also announced that it had made an update to highlight the privacy policy on its Android app. (We contacted Path CEO David Morin for comment, but he did not respond by publication time.)

Still, at the time of this writing, Path's iPhone app update only shows "enhanced contacts privacy" and bug fixes in its update notes. When we try to add new contacts to the app, we are prompted to share the address book with Path’s servers for the first time. Unless users were aware of the issue or checked the company's blog, they wouldn't otherwise know that such changes have taken place with their address book data.

A developer source shared with us the Apple guideline that Path appears to have violated: "Apps cannot transmit data about a user without obtaining the user's prior permission and providing the user with access to information about how and where the data will be used."

This policy appears to be easily circumvented, but without direct access to Apple's review data, we can't be certain how many apps are currently violating these rules. After all, Apple's guidelines and the address book API give third-party developers considerable flexibility in how they handle user data. Accessing the address book itself is within the guidelines, but developers can nevertheless use that data in an inappropriate manner.

Developer best practices are at the heart of some of the ways in which private data is being handled. Apple's developer library shows the ease with which an app can add or remove contacts from the address book, manage groups, and also find the user who is logged into the app. In the case of Path, the whole address book was uploaded to their servers.

One way Path might have avoided some of this controversy would have been to send only hashed values of the e-mail addresses (or whatever other fields the app needs) to its servers, which would have offered users some protection. In this case, however, the address book was uploaded without any such protection, adding to the backlash when the discovery was made public.

"Hashing the user data would prevent much of this, but that could only really be done by third-party developers... if Apple did it then there wouldn't be nearly as much utility provided to developers that the current address book APIs provide," My Recipe Book and Simplegram app developer David Smith told Ars.

And compared to Android, iOS seems to make the address book more accessible and more vulnerable to exploits. Charlie Miller, repeat Pwn2Own champion and principal research consultant at security firm Accuvant, told Ars that iOS makes it easier to access certain user data without permission.

"The way the iOS sandbox is designed is a one-size-fits-all model. All apps have the same sandbox permissions whether it is Angry Birds or some social media app that needs access to your contacts," Miller said. "Consequently, this means Angry Birds or any other app can access your address book (or photos or whatever). In Android, each app has to request the specific permissions needed for the app to work."

The ethics of accessing a user's data in app ecosystems

If you're an iOS user, does this mean that every time you install an app you should be worried about your data being copied and used in ways you're not sure about? In essence, yes. Apple's developer guidelines are meant to prevent these things from happening, but some developers have told Ars that in practice, it's really up to the companies making the apps to be transparent and provide good customer service.

Smith, who has submitted several apps through the iOS App Store, said Path's actions were "disingenuous or negligently misinformed. The CEO of a social networking app should have a clear understanding of Apple's privacy policy and review criteria."


Cesar Torres
Cesar is the Social Editor at Ars Technica. His areas of expertise are in online communities, human-computer interaction, usability, and e-reader technology. Cesar lives in New York City. Email: cesar.torres@arstechnica.com // Twitter: @Urraca

Promise privacy, deliver user data. That's the mantra now for social networking sites. As the new phrase goes: YOU are the product.

And this is hilarious understatement about the original social networking data rapist, Faceschnook: "distinguishing itself from apps like Facebook, which is not always transparent about how it handles users' data."

I want to be upfront, I don't like Apple, but if you'd asked me what the advantages of the iPhone were I would have included that its appstore was theoretically more secure than Android. This seems to blow a hole in that assumption.

I often find it really weird that all the things Apple is supposedly better at often turn out false. I think they're still pretty good on battery life, especially on laptops, but that's about all I can think of.

Oh yeah they're also the masters of overcharging and making obscene profits, but as a consumer I don't see how that would benefit me...

Quote:

I want to be upfront, I don't like Apple, but if you'd asked me what the advantages of the iPhone were I would have included that its appstore was theoretically more secure than Android. This seems to blow a hole in that assumption.

Christ, the hyperbole here really makes me want to vomit sometimes. Yes, it's shitty that iOS allows apps to access the Address Book without explicit permission. No, that doesn't "blow a hole" in the "assumption" that the App Store is more secure than the Android Market.

Quote:

I often find it really weird that all the things Apple is supposedly better at often turn out false.

Yes, because everything is black and white. One little thing and IT'S FALSE!!!

Quote:

Oh yeah they're also the masters of overcharging and making obscene profits, but as a consumer I don't see how that would benefit me...

I do wish iOS would ask permission. I don't have to love or hate Apple to agree that my entire address book shouldn't leave my phone just because I download and try out a new app. I can't trust every server thrown together by every app developer... I go to all this effort to keep my data secure, and then one app could come along and spew it out wherever.

Android's more paranoid approach here would be welcome, with a list of the data an app is going to use, and an opt-in system that lets me approve it.

Of course, the risk is that users will get in the habit of just approving everything without thinking, but the feature should be there for those who would use it.

And if it undermines consumer faith in app store systems, well, all the better, if you ask me.

Additional thought: there is some need for finer-grained controls already. I shouldn't have to allow an app permission to access location services just because I want to allow it to access my photos. Something there is being done wrong.

early on, when path gave out my actual phone number to a path friend (I only knew because he then texted me), they claimed "deactivating" (vs closing) my account was my only option. when my prolonged big deal on various social nets got zero results, I did some volunteer tech support for them on getsatisfaction. after systematically answering about half the huge backlog of unanswered privacy questions there, it became technically possible (path said) to close my account. tho I've never been able to check it to be totally sure.

Wow. I didn't know about this, and I assumed the prompt just meant the app would just make use of my address book to match against a database of registered users. I didn't realise my whole address book would be uploaded and stored. That's kind of fucking sneaky. Notice how the prompt doesn't say anything about storing your data.

It's a shame, I like Path, but I don't want them to have a stored copy of my address book for whatever reason. I've sent a mail asking for clarification (and cancellation of my account if my address book is being stored), and I've deleted the app for now.

This "permission request" stuff that Apple may introduce for the contacts - similar to what is already in place for location data - just fixes part of the problem. The thing is: a lot of apps just want to identify other people in your phone book that also use the app and thus have an account with it. It is total crap if an app may just access your entire phone book in such a case without any user authorization, but what would be won if there was a request for authorization? If the only two choices you have are "provide full access and use the damn app" and "deny access and don't use the app since it can't link you to other people", those are some really bad choices.

Thus, I'd add another option to the API: a hash over the phone number of a contact plus some app-specific salt value. That hash would be equal no matter what iPhone it is calculated on, as long as it's the same contact with the same phone number and the same app that's requesting it, in other words, the perfect identifier to match different accounts/profiles/whatever, but without giving the app all the data on a silver tablet. It wouldn't even get the phone number in clear text. You could very well leave this API function usable without user authorization, but make all the functions that access the actual address book data in clear text require per-app-authorization. That would kill the "but we need that full address book access to match accounts" argument, while still allowing for a very pleasant user experience.
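The salted-hash matching scheme proposed in the comment above (and the hashed upload the article suggests Path could have used) works like this. This is an added example in Python, not code from the article, from Path, or from the commenter, and it is not an iOS API: the app-specific salt, the normalization rules, the sample contacts and the registered-user table are all constructed for illustration. The client turns each phone number or e-mail into an HMAC token before anything leaves the device; the server, which stored the same tokens for its users at sign-up, matches tokens without ever seeing the clear-text address book.

```python
import hashlib
import hmac
import re

# Constructed app-specific salt (hypothetical value). It must be the same on every
# device running this app so that one contact yields one token everywhere.
APP_SALT = b"example-app-salt-v1"


def normalize_phone(raw: str) -> str:
    """Reduce a phone number to a canonical form so the same contact hashes
    identically regardless of how it was typed into the address book.
    Assumption for this example: a bare 10-digit number is North American."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 10:
        digits = "1" + digits
    return "+" + digits


def normalize_email(raw: str) -> str:
    return raw.strip().lower()


def contact_token(identifier: str, salt: bytes = APP_SALT) -> str:
    """HMAC-SHA256 over the normalized identifier, keyed with the app salt.
    The token is stable for (same app, same contact) and reveals no clear text."""
    return hmac.new(salt, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def tokens_for_address_book(contacts) -> set:
    """Client side: everything that leaves the device is a token, never a number
    or address. Contacts are dicts with optional 'phones' and 'emails' lists."""
    tokens = set()
    for contact in contacts:
        for phone in contact.get("phones", []):
            tokens.add(contact_token(normalize_phone(phone)))
        for email in contact.get("emails", []):
            tokens.add(contact_token(normalize_email(email)))
    return tokens


def match_registered_users(client_tokens, registered) -> list:
    """Server side: 'registered' maps token -> user id, computed once at sign-up
    from the identifier each user verified. Only intersecting tokens match."""
    return sorted(registered[t] for t in client_tokens if t in registered)


# Constructed sample address book (555 numbers and example domains are fictional).
ADDRESS_BOOK = [
    {"name": "Alice", "phones": ["(555) 010-2000"], "emails": ["Alice@Example.com"]},
    {"name": "Bob", "phones": ["555-010-3000"]},
    {"name": "Carol", "emails": ["carol@example.net"]},
]

# Constructed server-side table: Bob registered with an e-mail we do not have,
# so he must not match; Alice's verified phone and Carol's e-mail should.
REGISTERED_USERS = {
    contact_token("+15550102000"): "user-alice",
    contact_token("bob@example.org"): "user-bob",
    contact_token("carol@example.net"): "user-carol",
}


def demo() -> list:
    """Run the full client -> server exchange on the constructed data."""
    return match_registered_users(tokens_for_address_book(ADDRESS_BOOK), REGISTERED_USERS)


if __name__ == "__main__":
    print(demo())  # ['user-alice', 'user-carol']
```

The caveat a practitioner would raise: phone numbers come from a small space, and the server knows the salt, so a token is a pseudonym rather than strong protection; the server could recover numbers by hashing candidate values itself. The scheme still removes clear-text names, addresses and non-matching contacts from what the server receives, which is the gap the article is about. Rate-limiting match requests and discarding non-matching tokens after the lookup are the usual server-side complements.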

So let me get this straight: If an app wants the address book, it is supposed to ask; if not, it can't have it. In this case, it got it without asking.

So, should this have been flagged since day one by the app reviewer or what?

All iOS apps have the ability to access the address book without asking the user to allow/deny. Apple's rules for accessing the address book is to get explicit permission after informing the user what you'll do with the data, but the implementation is left completely to the developer.

I think it's really strange that Apple took the time to develop a way for users to fine tune location access, and at the same time left the barn door open for arguably more sensitive information.

Quote:

This policy appears to be easily circumvented, but without direct access to Apple's review data, we can't be certain about how many apps are currently violating these rules.

Arun Thampi's blog post shows you exactly how to check other apps, using mitmproxy to watch your device's traffic. This method will also allow you to see which apps are sending sensitive information in plaintext.
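The check the comment above describes (watching what an app actually sends) can be partly automated once you have the captured requests. The following is an added example in Python, not Thampi's code and not part of the article: it takes captures in a constructed (method, URL, body) shape, counts e-mail addresses and phone numbers in each request body, and flags two things a reviewer would want to see, a bulk contact upload and contact data sent over plain http. The three captured requests, their hosts and bodies are all made up; adapting the function to a proxy's own addon interface is left to the reader.

```python
import re
from urllib.parse import urlparse

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Loose phone pattern: optional '+', then 9+ digits with common separators.
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")

# Constructed captures (method, url, body); hosts use the reserved .invalid TLD
# and the numbers/addresses are fictional.
CAPTURED = [
    ("POST", "https://api.example-social.invalid/3/contacts/add",
     '{"contacts":[{"name":"Alice","phone":"+1 555 010 2000","email":"alice@example.com"},'
     '{"name":"Bob","phone":"555-010-3000"},{"name":"Carol","email":"carol@example.net"}]}'),
    ("POST", "http://api.example-game.invalid/score",
     '{"player":"dave@example.org","score":42}'),
    ("GET", "https://cdn.example-news.invalid/feed.json", ""),
]


def inspect_request(method: str, url: str, body: str, bulk_threshold: int = 3) -> dict:
    """Classify one request body by the contact identifiers it carries.
    'bulk-contact-upload': at least bulk_threshold distinct e-mails/phones in one
    request, the signature of an address book being shipped wholesale.
    'plaintext-transport': any contact identifier sent over http rather than https."""
    emails = set(EMAIL_RE.findall(body))
    phones = {m.strip() for m in PHONE_RE.findall(body)}
    parsed = urlparse(url)
    findings = []
    if len(emails) + len(phones) >= bulk_threshold:
        findings.append("bulk-contact-upload")
    if (emails or phones) and parsed.scheme == "http":
        findings.append("plaintext-transport")
    return {
        "method": method,
        "host": parsed.netloc,
        "path": parsed.path,
        "emails": len(emails),
        "phones": len(phones),
        "findings": findings,
    }


def report(captures=CAPTURED) -> list:
    """Return only the requests that triggered a finding."""
    return [r for r in (inspect_request(*c) for c in captures) if r["findings"]]


if __name__ == "__main__":
    for row in report():
        print(row["method"], row["host"] + row["path"], row["findings"],
              "emails=%d phones=%d" % (row["emails"], row["phones"]))
```

The threshold is deliberately low because a legitimate "find my friends" request that only carries hashed tokens would match neither regex; clear-text identifiers in any quantity are what you want to see, and three or more in one request is rarely anything but a contact upload.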

If anyone is dumb enough to place their personal information out on the internet, and trust people they don't know with that information, they are being very foolish. There is always someone somewhere that will want to grab that information for their own purposes, or some way the internet can be used to get at that information, no matter how many promises of security are given, no matter how many changes are made, no matter what agreements say, no matter what measures are put in place, and no matter how much integrity you think a company or organization has.

Quote:

If anyone is dumb enough to place their personal information out on the internet, and trust people they don't know with that information, they are being very foolish. There is always someone somewhere that will want to grab that information for their own purposes, or some way the internet can be used to get at that information, no matter how many promises of security are given, no matter how many changes are made, no matter what agreements say, no matter what measures are put in place, and no matter how much integrity you think a company or organization has.

The problem comes when “out on the internet” = “on your own phone so you don’t have to keep in your pocket a piece of paper, and type in each time, the details of how to get hold of people you know”.

Quote:

I want to be upfront, I don't like Apple, but if you'd asked me what the advantages of the iPhone were I would have included that its appstore was theoretically more secure than Android. This seems to blow a hole in that assumption.

Quote:

Christ, the hyperbole here really makes me want to vomit sometimes

Me too, Apple are full of it aren't they.

Maybe you're happy with any App reading your address book. Perhaps you have yours nailed to your front door, and are happy to leave them on public transport. Maybe you have them up on a website for all to read.

Good for you. Myself, I expect you to ask for mine, I wouldn't be prepared to just hand it over, or worse, have you just take it out of my pocket. If you did, I would think you cheeky as hell. And there is NO defense you could tell me to stop my whacking you one.

Quote:

I do wish iOS would ask permission. I don't have to love or hate Apple to agree that my entire address book shouldn't leave my phone just because I download and try out a new app. I can't trust every server thrown together by every app developer... I go to all this effort to keep my data secure, and then one app could come along and spew it out wherever.

Android's more paranoid approach here would be welcome, with a list of the data an app is going to use, and an opt-in system that lets me approve it.

Of course, the risk is that users will get in the habit of just approving everything without thinking, but the feature should be there for those who would use it.

And if it undermines consumer faith in app store systems, well, all the better, if you ask me.

When I was an Android user, I couldn't delineate what each category fully meant. For example, I was never sure what "Read phone state and identity" meant, whether it would know I was on a phone call, or if it also knew what my phone number was. I would have preferred a link to a more detailed description, and as a result of my own laziness (I'm being honest here) I didn't go majorly out of my way to research something unless it really confused me why it would be requesting a particular access. Most Android owners I know tend to blow past the permissions screen, YMMV. There are some app developers that spell out why each request is done, and kudos to them.

I think it would be better to specify which ones you'll actually allow. For example, it would say that it wanted fine GPS location. You say no to that aspect, and it would warn that "X feature will not be functional", and that feature would be disabled. More difficult for the programmer, sure, but better for the user.